All that is wrong with the world…

September 19, 2011

Another minor Facebook security issue

Filed under: Tech — allthatiswrong @ 11:38 pm

I recently noticed a flaw in Facebook's identity-confirmation process. After being asked to confirm my identity simply because I was logging in from a different computer, I apparently took too long to identify my friends in their photos. I was, however, allowed two more tries before being locked out, and on each of them Facebook presented the exact same photos with the same selection of names to choose from. What this means is that I could conceivably attempt to log on to a victim's Facebook account from an unrecognised device to trigger such a prompt, and then take my time to research the answers.

My session expired after approximately twenty minutes, so three attempts give roughly an hour to come up with the answers. That does not seem terribly difficult given how readily people tag their friends or publish photos on blogs. It would be easier still if the victim and attacker had a mutual friend on Facebook, since the attacker would then likely be able to see many more of the victim's photos. In fact, simply searching for each candidate name on Facebook might show the person's face, which would be enough to answer the questions correctly.

This is not a major flaw by any means; however, it does seem quite possible that the process as currently implemented could be abused in conjunction with other vulnerabilities, such as a password obtained through phishing or reuse, since the prompt appears only after the password has been accepted. I hope that, at the least, this will foster some interesting discussion on why what I have described is a non-issue, or else result in a fix.
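The abuse described above comes down to two policy choices in the challenge: whether the same photos are reissued on every attempt, and how long each attempt stays open. The toy below is an added example written for this post, not Facebook's code or the author's. Its WEAK policy reproduces the reported behaviour (three tries, the same photos each time, about twenty minutes per try); its HARDENED policy never reissues photos the account has already been shown and shortens the window, so time spent researching one set is wasted on the next. The photo library, friend names, timings and the assumption that an attacker can identify any face given a full window of offline research are all constructed for illustration.

```python
"""Toy model of a photo-based identity check.  Added example, not Facebook's
code: WEAK reproduces the behaviour the post reports, HARDENED shows one way
to close it.  Photo ids, names and timings are constructed for illustration."""
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample data: photo id -> friend tagged in it.
PHOTO_LIBRARY: Dict[str, str] = {
    "p01": "alice", "p02": "alice", "p03": "bob",   "p04": "bob",
    "p05": "carol", "p06": "carol", "p07": "dave",  "p08": "dave",
    "p09": "erin",  "p10": "erin",  "p11": "frank", "p12": "frank",
}
PHOTOS_PER_CHALLENGE = 3


@dataclass(frozen=True)
class Policy:
    window_seconds: float   # how long one challenge stays answerable
    max_attempts: int       # challenges issued before the account locks
    fresh_each_time: bool   # never reissue photos this account has seen


# What the post describes: ~20 minutes per try, three tries, identical photos.
WEAK = Policy(window_seconds=20 * 60, max_attempts=3, fresh_each_time=False)
# Never-before-shown photos on every try and a much shorter window.
HARDENED = Policy(window_seconds=2 * 60, max_attempts=3, fresh_each_time=True)


@dataclass
class Challenge:
    photos: Tuple[str, ...]
    issued_at: float


class FakeClock:
    """Injectable clock so the simulation can 'wait' without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SocialAuth:
    def __init__(self, policy: Policy, clock: Callable[[], float] = time.monotonic,
                 rng: Optional[random.Random] = None) -> None:
        self.policy = policy
        self.clock = clock
        self.rng = rng or random.SystemRandom()
        self.attempts: Dict[str, int] = {}
        self.shown: Dict[str, Set[str]] = {}
        self.current: Dict[str, Challenge] = {}

    def issue(self, user: str) -> Optional[Tuple[str, ...]]:
        """Issue a challenge for `user`, or None once the account is locked."""
        used = self.attempts.get(user, 0)
        if used >= self.policy.max_attempts:
            return None
        if self.policy.fresh_each_time:
            shown = self.shown.setdefault(user, set())
            pool = [p for p in PHOTO_LIBRARY if p not in shown]
            if len(pool) < PHOTOS_PER_CHALLENGE:   # nothing unexposed left: refuse
                return None
            photos = tuple(self.rng.sample(pool, PHOTOS_PER_CHALLENGE))
            shown.update(photos)
        else:
            # The flaw: a per-user deterministic pick, so every retry sees the same photos.
            photos = tuple(random.Random(user).sample(sorted(PHOTO_LIBRARY), PHOTOS_PER_CHALLENGE))
        self.attempts[user] = used + 1
        self.current[user] = Challenge(photos, self.clock())
        return photos

    def answer(self, user: str, answers: Dict[str, str]) -> bool:
        """Check the answers; an expired or missing challenge always fails."""
        ch = self.current.pop(user, None)
        if ch is None or self.clock() - ch.issued_at > self.policy.window_seconds:
            return False
        ok = all(answers.get(p) == PHOTO_LIBRARY[p] for p in ch.photos)
        if ok:
            self.attempts[user] = 0
        return ok


def attacker_research(policy: Policy, victim: str = "victim") -> Dict[str, object]:
    """Replay the abuse from the post: request a challenge, let it expire while
    researching the faces, then retry.  Assumption: a full window of offline
    research identifies every photo shown (modelled as a PHOTO_LIBRARY lookup),
    but only photos the attacker has already been shown."""
    clock = FakeClock()
    auth = SocialAuth(policy, clock=clock, rng=random.Random(1))  # seeded for repeatability
    researched: Set[str] = set()
    distinct: Set[Tuple[str, ...]] = set()
    while True:
        photos = auth.issue(victim)
        if photos is None:                        # locked out before answering
            return {"compromised": False, "distinct_sets": len(distinct)}
        distinct.add(photos)
        if all(p in researched for p in photos):  # answers prepared during earlier windows
            ok = auth.answer(victim, {p: PHOTO_LIBRARY[p] for p in photos})
            return {"compromised": ok, "distinct_sets": len(distinct)}
        clock.advance(policy.window_seconds + 1)  # spend the whole window researching
        researched.update(photos)
```

Under WEAK the attacker sees one photo set, lets the first window lapse, and answers the identical second challenge from the research already done; under HARDENED each of the three tries shows photos never exposed before, so the research never carries over and the account locks first. The fix is the per-account `shown` set combined with the short window; counting attempts alone, as the weak policy already does, is not enough.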

1 Comment

  1. I love your blog, mostly cause we agree on so damned much, needless to say I’ve decided to start some rather intensive psychotherapy… that aside.

    The real problem with this Facebook approach is that there seems to be a trend of just throwing some random task at a user and calling it “security.” Unaware users are losing even more touch with what security is, yet they are then told to “act securely” at their jobs and on their home computers.

    I believe this is part of an ongoing trend to obfuscate information security as a means of side-stepping the fact that as a whole, the industry does a terrible job. That’s why you have so many people on here arguing against the value of Mandatory Access Controls and other such tools… something that actually forces people to think about how systems are going to be used?! Good god, a failure there is so obvious, better to rely on stopping threats, everyone knows threats are constantly evolving and impossible to stay on top of all of them, some failures are normal and acceptable.

    (As an aside, BofA has a godawful solution, where you login and it asks you a secret question, one of three. The idea being that a keystroke recorder or such will only get your password and one of the three answers. Of course, if the attacker fails to answer the question right twice in a row, BofA will move to a next secret question, randomly, eventually returning you to the original question.)

    Comment by rob — February 3, 2012 @ 10:27 pm

